
Swimming in Too Much EMR Data

Posted on May 31, 2012 | Written By

As Social Marketing Director at Billian, Jennifer Dennard is responsible for the continuing development and implementation of the company's social media strategies for Billian's HealthDATA and Porter Research. She is a regular contributor to a number of healthcare blogs and currently manages social marketing channels for the Health IT Leadership Summit and Technology Association of Georgia’s Health Society. You can find her on Twitter @JennDennard.

I don’t know about you, but the long holiday weekend was far too short for me. The majority of my family’s time was spent kicking off summer at various pools (with the appropriate sunblock, of course). Pools and swimming are somewhat second nature to me. The smell of chlorine takes me back to my high school and early college days of year round swim team, coaching summer swim league and sitting in a lifeguard chair in the brutal heat, whistle dangling around my neck.

As we gear up for my oldest daughter’s first summer swim meet this week (picking the appropriate swim cap, finding those goggles that fit just right and painting our toes the appropriate team color), I’m hoping that she’ll come to love the sights, sounds and smells of the pool as well. She certainly seemed to enjoy herself at one of the Memorial Day weekend pool parties we attended.

One family affair in particular found me wading into a conversation about Salesforce.com. Turns out a soon-to-be new member of the family works for the company, and I told him that, as part of my day job, I had been dabbling in using it. He quickly asked me about my likes and dislikes, at which point his fiancée chimed in with the lament that yes, Salesforce is an awesome tool, but more often than not, sales teams do not have the time (and in some cases the inclination or training) to fully make use of all its bells and whistles.

I pondered her statement a bit further as I watched my daughter practice swimming with her new flippers, and realized that those of us that use SaaS (software as a service) technologies – like electronic medical records – tend to have the same complaint. Bells and whistles are great, but if I never have the time to learn to use them effectively to accomplish goals specific to my tasks, then I’m not going to use them at all. And I’m never going to pay much attention to the constant updates and add-ons these sorts of technologies usually come with.

I wonder if some EMR end-users feel the same way. They love the idea behind the technology, and certainly the government incentives that typically come along with using it, but after implementation find themselves with only enough time to utilize the EMR’s basic functions. I’d assume this might be a bigger problem for private practice physicians than for those working within a hospital.

I’m certainly not the first to ponder the relationship between Salesforce and EMRs. Our fearless leader John Lynn wrote about Practice Fusion building a personal health record on top of Salesforce way back in 2009, seemingly not long after Salesforce invested in the HIT company.

What I’m talking about, however, is the amount of time and energy required to truly take advantage of the vast oceans of meaningful data that can be culled from an EMR. Big data is great. Lord knows we’ve all been convinced of the value of that and the business intelligence tools that help us decipher it. I’d be interested to hear from doctors that have pondered the same thing. Are providers swimming in too much EMR information? Are they faced with more than they could ever possibly utilize? Does it come down to user experience and user-centric design?

Let me know what you think in the comments below. In the meantime, I’ll be helping my daughter perfect her backstroke.

ONCHIT Health IT Software Contests – Some Thoughts

Posted on May 30, 2012 | Written By

Priya Ramachandran is a Maryland based freelance writer. In a former life, she wrote software code and managed Sarbanes Oxley related audits for IT departments. She now enjoys writing about healthcare, science and technology.

Ken Terry at InformationWeek has an interesting editorial on Office of National Coordinator on Health IT’s (ONCHIT) latest contest for developers. This time the ONCHIT wants developers to come up with an IT product that can help ophthalmologists see better (yes, it’s a lame pun :)

Among the laundry list of requirements that this mythical software must possess: (I’m quoting from Terry’s article)

it must warehouse data from many different devices;
convert the data from proprietary formats to a single, vendor-neutral format;
enable clinicians to manipulate data and images;
and interface with existing EHR systems (presumably, just the top dozen or so)

Here’s the link to the slightly more detailed ONCHIT list. The first prize is $100,000 which is nothing to sneeze at.

Terry lists some problems uniquely faced by specialists such as oncologists and ophthalmologists: off the shelf EHRs don’t really grasp the nuances and details of information needed by specialists. Terry lists for example weight and height details that EHRs typically capture. Ophthalmologists don’t really need this information. Typical EHRs on the other hand don’t allow for visual acuity information to be stored, at least not without (paid-for, and hence costly) customizations.

Looking at this issue as a some-time developer with some skin in the game, here’s how I see this process: ONCHIT wants to kick start IT development by getting developers interested via contests. This time it’s shining its light on ophthalmologists. It has provided a list of not-so-impossible to design features, which might not capture all the nuances of features needed by ophthalmologists.

The major flaws I see in this process: the prize money is smallish, which means that the people that would be most interested in developing something would be the smaller IT shops. However, most IT developers don’t know enough about ophthalmology to truly understand what’s needed of their IT product. Till I saw Terry’s accompanying editorial, I was under the impression that this was a perfectly fine list of features to request. Also, I’m very underwhelmed by the “details” provided in the ONCHIT page. It is full of 20 dollar words, which will probably make little sense to the developers who are the intended targets of these words.

To be sure, you will see some health IT developers develop something and send them out, just because. Hell, it’s a contest, and there’s decent prize money.

Here’s what I’d rather have seen: maybe a short video that shows an ophthalmologist at work, a couple of minutes where s/he describes the main challenges s/he faces and provides the top 5-6 things that are on hizzer wishlist in an EMR. Or ONCHIT could facilitate talks between developers and specialists so each side understands what is required of them. Till then we’re doomed to square pegs in round holes software products that frustrate everyone soundly.

EHR Company Funding Risks – Large EHR Companies

Posted on May 29, 2012 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 13 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This is the fourth post in my EHR Company Funding Risks series that was started in response to my original post about The Current Health IT & EHR Bubble. In this series, we’re looking at the following EHR company categories: Seed Funded, Well Funded, Positive Cash Flow, Large EHR Company, and Large Company Backed EHR. Next up is Large EHR companies.

Large EHR Companies
Most of the EHR companies that fit into this category are publicly traded EHR companies (with a few notable exceptions). Each of these EHR companies has their own story, but the majority include some mix of EHR acquisition or EHR merger to get into or expand their EHR market reach. Often this means that the EHR company has more than one EHR software under their purview.

Many of the larger EHR group practices and particularly the multi specialty clinics look to the larger EHR companies because these large EHR companies have usually worked to try and cover every EHR specialty in their EHR. In most cases the EHR software has been around for a very long time. This is good because then the software is often mature, but it’s also bad because it’s often built on old technology.

The large complaint against these large EHR companies is that they’re large and impersonal. That they are out of touch with the customer. Of course, this is kind of the nature of being a large company and having a large user base. Plus, you can imagine the challenge listening across a half dozen different EHR software products.

The risks associated with these large EHR companies’ software usually have much less to do with cash flow and much more to do with the decisions of the EHR company executives. With multiple EHR software under their umbrella, will they choose to close the one you use down and focus on their other EHR products? Will your EHR product get lost in the corporate shuffle of priorities? Sure, they’ll still support your EHR product if there’s an issue, but have they dedicated the company resources to your EHR or to another product in the company’s portfolio?

One argument that larger EHR vendors have made is that they’re the only companies that have the resources available to create the EHR software of the future. Some argue that many of the smaller EHR companies won’t be able to meet meaningful use stage 3, because they don’t have the resources available to do that. Not to mention when we eventually have to do Watson like Smart EHR software integrations across large data sets. I think the first part about doing MU is overstated. I think the jury is still out on how smart EHR software will become over time and how smart physicians require their EHR to be.

Next up, we’ll look at Large Company Backed EHR. Read all the posts in the EHR Company Funding Risks series.

A Memorial Day Message from EMR and EHR

Posted on May 28, 2012 | Written By John Lynn

A big thanks to all our military! We’re lucky to have so many brave people who fight for our freedoms. I found a series of Memorial Day Cartoons which each share a message of the real importance of Memorial Day. I’ll post them across the Healthcare Scene network as a way to honor and remember those people who sacrifice so much.

Have a great Memorial Day and enjoy time with your family as I will do also!

Protecting Children from Identity Theft, the Holy Grail of mHealth, and Using PHR to Improve Safety: This Week at HealthCareScene.com

Posted on May 27, 2012 | Written By

Katie Clark is originally from Colorado and currently lives in Utah with her husband and son. She writes primarily for Smart Phone Health Care, but contributes to several Health Care Scene blogs, including EMR Thoughts, EMR and EHR, and EMR and HIPAA. She enjoys learning about Health IT and mHealth, and finding ways to improve her own health along the way.

EMR and HIPAA
The Real Money is in the ACO, Not Meaningful Use
As part of a series of posts that John’s doing about Accountable Care Organizations (ACO’s) John started an interesting discussion about where the money is in healthcare. We see so many EHR companies and doctors chasing after meaningful use dollars, when the reality could very well be that they’re spending a lot of time and money on something that has a limited and short lived pay out. Instead, many of them should consider focusing on the rapidly changing ACO environment since it will likely have a long range and dramatic impact on their financial future.

EHR Technical Breaches, Great Human and Computer Collaborations, and EMR in India
The number of people tweeting about EMR and health care IT is on the upswing. John posts about some of his most interesting finds in the health care twittersphere this past week. He adds his own commentary on the topics as well, such as disagreeing that the use of Cloud will increase security breaches and agreeing that EMRs should be on the “Six Great Human and Computer Collaborations” list.

EMR AND EHR
Veriphyr HIT Gives Littlest Victims of Patient Identity Theft a Fighting Chance
Adults aren’t the only ones that are susceptible to identity theft; children are some of the biggest targets these days. A recent study revealed that 10% of 40,000 children become victims. Veriphyr HIT recently donated a patient privacy breach detection system to a Minnesota hospital, and Jennifer Dennard decided to follow up on the motives behind this. Alan Norquist, CEO of Veriphyr, discussed with her his feelings on why there have been many hospital breaches recently, the time frame for the donation, and more.

Smart Phone Health Care 
Behavior Change May Be the Holy Grail of mHealth, but Should it Be?
Recently, an article was written by Sara Jackson titled mHealth’s Holy Grail: Behavior change. Over at Smart Phone HC this week, David discusses his thoughts on the article. According to David, he believes that the “human element” that is integrated into many apps today really needs to be human and that the best apps encourage behavior change after the use of the app is discontinued. Can the lack of human interaction with certain apps just make some issues worse? Express your thoughts on the matter over at Smart Phone HC.

EMR and EHR Videos
Nuesoft Podcast Series; Medical Practice Design: Meeting Practical Needs While Improving Patient Comfort
Jeffrey K. Griffin is a LEED certified architect that specializes in health care facilities. In this video he talks about different qualities that should be considered when designing (or in some cases, re-designing) a patient care facility. Topics such as sustainability, current trends in products and features, and what to avoid during this process are discussed.

EMR Thoughts
New York eHealth Collaborative Opens Application for Accelerator Program
The NYeC applications are now available for its accelerator program, New York Digital Health Accelerator. Companies that are selected for this program will receive up to $300,000 and have access to technology experts, NYeC-led EHR/HIE Interoperability Workgroup, and more. Check out this post on EMR thoughts for more information; the deadline to apply is coming up on June 1st.

Hospital EMR and EHR
Using PHR To Correct Provider Drug Lists Can Improve Safety
Medication list discrepancies are a problem that occurs more often than it should. A recent study published in the Journal of the American Medical Informatics Association found that when a patient reviewed their medication list through a linked PHR, the likelihood of unexplained errors dropped significantly. This raises the question of whether patients should be shown their information located in their provider’s EMR. Also, would enough patients be willing to review PHR information? The discussion on this topic is over at Hospital EMR and EHR this week.

EHR Company Funding Risks – Positive Cash Flow EHR Companies

Posted on May 25, 2012 | Written By John Lynn

This is the third post in my EHR Company Funding Risks series that was started in response to my original post about The Current Health IT & EHR Bubble. In this series, we’re looking at the following EHR company categories: Seed Funded, Well Funded, Positive Cash Flow, Large EHR Company, and Large Company Backed EHR. Next up is Cash Flow Positive EHR companies.

Positive Cash Flow EHR Companies
This type of EHR company is usually a conservatively funded EHR company (often through non traditional funding mechanisms, or through a private buy out) that has grown large enough that its current user base provides enough cash flow to cover the EHR company’s ongoing expenses. The majority of these EHR companies have been around for a long time. In most cases they started out as EHR only companies (since everyone already had a PM system) and over time were able to grow a large EHR user base.

Instead of going after a large funding round, these EHR companies stayed small and chose to grow slow and steady over time. At this point, most of these companies have a large enough user base and enough cash flow that they’re in it for the long haul. While a sale could happen, most are content to continue growing the way they’ve done for a long time.

The users of these systems are usually happy with the software. Plus, they’ve often been using it so long that the idea of switching is something they wouldn’t even entertain. Even if the EHR software has some issues, the practices know the problems and have found ways to work around them. Plus, I’ve heard from many about the kinship they have with the EHR software that they’ve had for so long.

The real question for these EHR companies is how well they’ll be able to retain their existing EHR user base and/or how well can they acquire new EHR users. At some point if they aren’t maintaining or growing their EHR user base, they won’t have the cash flow needed to continually improve the EHR system with changing technology and clinical requirements. Plus, considering the fast pace of technology, time and their legacy software creation starts to catch up with them.

Many of the best specialty specific EHR companies have been able to reach this category. Some are still in the seed funded or well funded categories, but most of the specialty specific EHR companies I’ve seen have reached the cash flow positive category or are really close to getting there. Most of them realized that they had a very specific EHR market and so they had to grow it slow, steady and focus on revenues early.

Next up, we’ll look at Large EHR Companies. Read all the posts in the EHR Company Funding Risks series.

Veriphyr HIT Gives Littlest Victims of Patient Identity Theft a Fighting Chance

Posted on May 24, 2012 | Written By Jennifer Dennard

I recently came across a press release – “Veriphyr Donates Patient Privacy Breach Detection Service to Minnesota Hospital” – that gave me pause for two reasons. One being that I am always interested in news of charitable healthcare IT projects; and the second being that the subhead of the release further explained that the donation was made to a children’s hospital. Surely kids aren’t the victims of identity theft to such an extent that children’s hospitals are having to take precautions to prevent this type of crime, right? What could be done with an identity that hasn’t yet stepped into the world of banking, credit and loans?

Apparently, I’m pretty naive, because as a segment on NPR’s Morning Edition recently highlighted, “Identity theft is the fastest growing crime in America. Many identity theft victims are children and, because children don’t usually have reason to check their credit reports, the crime often goes undiscovered for years.” It also referred to a recent study by Carnegie Mellon University that found that more than 10 percent of 40,000 children had been victims of identity theft.

Utah, of all places, was highlighted in the audio segment because its attorney general’s office is piloting an online child identity protection service. I can’t help but wonder if they have ramped up efforts around anything to do with identity theft in the wake of the March 30th privacy breach that affected 780,000 Medicaid and CHIP beneficiaries, and the resultant resignation of the state’s IT director and apology from the governor.

I decided to get in touch with the folks at Veriphyr to learn more about why they chose to donate their patient privacy breach detection service to Gillette Children’s Specialty Healthcare – a Children’s Miracle Network Hospital (CMNH). According to the release mentioned above, the service protects patients’ personal health information by detecting inappropriate access by hospital employees and other insiders. The company uses “big data” analytics to detect potential privacy and regulatory compliance violations, and data breaches.

Alan Norquist, Veriphyr’s founder and CEO, was kind enough to answer my questions:

Has Veriphyr ever donated technology before?
Alan Norquist: “As a corporate sponsor of Children’s Miracle Network Hospitals, Veriphyr donates a portion of each sale to our customers’ local CMNH hospital. The donation to Gillette Children’s is Veriphyr’s first donation of our services to a CMNH hospital.”

Why did Veriphyr choose to become involved in CMNH, and to make a donation to Gillette Children’s in particular?
“The Veriphyr management team wanted to give back to the community and based on the background of the team, they decided to get involved with a charity involving children’s health. We selected CMNH because they offer a program that is national in scope but has local impact. Most importantly, 100 percent of our donations directly benefit children’s health – none is used for CMNH administrative costs.

“Veriphyr decided to expand our involvement by giving our Patient Data Privacy service to one CMNH hospital this year. We chose Gillette Children’s Specialty Hospital because of its internationally recognized work in the diagnosis and treatment of children and young adults who have disabilities or complex medical needs.”

Is there a timeframe or other restrictions associated with donation of the technology?
“Veriphyr will provide privacy breach detection and user access compliance services to Gillette Children’s Specialty Healthcare for one year.”

It seems we read about hospital privacy breaches on a weekly, if not daily, basis. Why does Veriphyr feel they are becoming so frequent? What should healthcare systems be doing to protect themselves that many tend to overlook?
“One reason for the increase in hospital privacy breaches is that criminals have recognized that the value of medical records is greater than other forms of data. The wealth of personal information contained in medical records can be used in a range of criminal activities including medical id theft, tax refund theft, and more. This has made hospitals a prime target.

“In response, healthcare organizations have implemented appropriate policies and training. Now, leading hospitals are taking the next step and deploying proactive services like Veriphyr’s that detect patient privacy data breaches.”

It is comforting to think that hospitals are now taking such proactive steps, especially in light of national news that criminals think nothing of taking advantage of our most vulnerable population.

Better EMR Design

Posted on May 23, 2012 | Written By Priya Ramachandran

Now that we’ve heard the statistics about EMR use, we’re also hearing a lot of opinions on EMRs, and not all of them are laudatory. In fact I read some separate articles recently, and they pretty much said the same things in so many different words:

– EMRs are not intuitively designed. They do not reflect actual workflows that most doctors or hospitals follow. Rather the applications look like they’ve been designed by a bunch of programmers who then design the UI to look like how their underlying data are structured.
– Because they’re pretty much being foisted on hospitals and doctor’s offices through “incentive” programs, often the resources expended on them are sunk costs. To improve the workflow of a software to accurately reflect the needs of a particular hospital, you will need to pump extra money into it. That’s about as likely to happen as a software vendor providing you a customized solution without charging you anything extra.

Let me assure you – the medical establishment has it exactly right, at least in my experience. I work as a technical writer, so much of my working life consists of documenting the products that make it to your doorsteps, and I have experienced some of the same frustrations as you. I’ve complained about them, made myself unpopular with development teams and added my two cents to feature request lists, just like many of you.

But, I also see things from a programming perspective too, and I’m here as a sort of ambassador between both worlds. Many teams I worked with had an actual designer working as part of the team. But the designer’s role was often making the colors look attractive enough, or the font large enough to appeal to a cross-section of users. One of my old bosses, different industry and everything, called this our Lipstick on a Pig game, and plenty of times that’s what the designer’s role was. Inventing plenty of shades of lipstick for the proverbial pig.

Ergonomic design was not what the designer was tasked with doing. One place I worked at even had a doctor on payroll. Except he had a doctor’s degree from Shanghai, had not cleared his exams in the States and had no idea how medicine is practiced in the States. It sure looked good on paper when their sales team went out to clients and talked about having a dedicated doctor on staff to help with software design.

And the effect of poor design on functionality is often perplexing, sometimes disastrous. Case in point – documenting all the drugs administered to a patient. It has been drilled into programmers that clicks are sacred things, you don’t want doctors wasting too many of them.

So because we don’t want too many clicks, we list each and every medication a patient has been administered, add some pagination logic around it and call it a day.

The doctor, who is the end user, for whom we designed this software system, now sees all the information in a “convenient” list and doesn’t need to open up a medication tree to view the medications under it. Except if she has a very sick patient with multiple encounters, the case history reveals a medication that is 31 pages deep. To get to Xanax, she might have to page through 30 previous pages.

While these “features” fall into the realm of merely annoying, they’re nowhere near as disastrous as those modal alerts that Barbara J. Moore talks about in her KevinMD piece. A modal window is one of those annoying windows that you have to take an action on, otherwise you can’t proceed any further in your workflow. Moore points out the hazards of such alerts which force a doctor to make a choice, any choice, but aren’t available later if the doctor wishes to review the alerts at leisure.

So yes, software vendors need people who know the workflow to design the systems. But more importantly, you – the medical establishment – must keep requesting changes or suggesting features, or vendors will remain complacent about what they put out.

EHR Company Funding Risks – Well Funded EHR Companies

Posted on May 22, 2012 | Written By John Lynn

This is the second post in my EHR Company Funding Risks series that was started in response to my original post about The Current Health IT & EHR Bubble. In this series, we’re looking at the following EHR company categories: Seed Funded, Well Funded, Positive Cash Flow, Large EHR Company, and Large Company Backed EHR. Next up is Well Funded EHR companies.

Well Funded EHR Companies
These EHR companies are those that have moved past the beta phase of their EHR and have usually gotten a large second round of funding that will allow them to work on scaling their EHR user base. This is where I see the largest number of what most would consider “startup” EHR companies. They usually have a few million in the bank and somewhere between 50-200 doctors on their platform.

With the money in the bank, most of these EHR companies have a number of years of runway to be able to see their EHR company play out. They still haven’t made it to what I call the EHR promise land of 1000+ doctors on their platform, but they have enough money to try and reach that goal over the next couple years.

The risk for a practice choosing one of these well funded EHR companies is what will the EHR vendor choose to do once they reach 1000+ doctors. Will they sell the company off to someone else (which almost never ends well for the practice)? Or do these EHR vendors have the staying power and desire to go after something much larger? The other risk is that the EHR company will only ever have a few hundred doctors. When you’re a well financed EHR company that doesn’t gain traction, this will usually end up in a fire sale of the EHR to some other company who wants to acquire the users you do have.

Despite the risks mentioned above, many really love these “startup” EHR companies that have plenty of funding. They’re usually very responsive companies that are able to have a real personal touch with their users. They usually have some unique selling proposition which the practice found so intriguing in the first place.

Most of the Free EHR vendors fit in this or the previous seed funded category as well. However, the amount of funding that the Free EHR vendors require is a multiple higher because they usually need to be able to reach a certain install base before their revenue model kicks in. The other principles are very much the same. Although, most of the free EHR vendor revenue models require a large user base. The Free EHR promise land is probably closer to 10,000 and some might argue that to really make it work they need 100,000+.

Next up, we’ll look at Positive Cash Flow EHR Companies. Read all the posts in the EHR Company Funding Risks series.

ONC Wants Medical Practices To Have A Privacy and Security Officer

Posted on May 21, 2012 | Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @annezieger on Twitter.

The Office of the National Coordinator for Health Information Technology (ONC) has thrown down the gauntlet on HIPAA, challenging medical practices to select a privacy and security officer. The ONC recommendation comes as part of a report outlining a 10-step plan to protect patient data.

While the advice it offers might be helpful to a range of providers, the report is largely focused on medical practices which are adopting EHRs and don’t have trained IT staffers to manage privacy protection and security, said Daniel Berger, president and CEO of Redspin Inc. in an interview with InformationWeek. As practices shift from paper notes to digital records, there are countless opportunities to slip up and have a data breach.

The problem may get worse as practices move up to Meaningful Use Stage 2, as this level of compliance will force practices to exchange data between providers. Securing their own health data is hard enough; HIEs pose greater risks yet.

To make sure their data stays secure, a privacy officer is important but not sufficient. Other suggestions include:

* Do a privacy/security risk analysis, and create an action plan to address problems found during the analysis
* Develop written policies and procedures for protecting electronic protected health information
* Educate and train employees thoroughly
* Make sure business associate agreements meet HIPAA standards and HITECH breach notification requirements

Though the ONC is trying to be helpful, I suspect that few medical practices are ready to follow these suggestions. While practices certainly understand that HIPAA is a serious proposition, I’ll submit that few are ready to do a risk analysis. (After all, many medical practices haven’t had their EMR that long and are pretty overwhelmed just making it work for them.)

On the other hand, if practices name a privacy and security officer, train them and get them going now on risk analysis, it could result in a process of learning where knowledge diffuses out into the practice. Yup, I think that step will go a long way on its own.